From 22546df6d9ba9ca4523142d98b5e70f6db213f3e Mon Sep 17 00:00:00 2001
From: Feross Aboukhadijeh <feross@feross.org>
Date: Tue, 27 Aug 2019 13:28:17 -0700
Subject: [PATCH 1/3] Fix http server XSS

Low risk xss. If the torrent contains a specially crafted title or file name, and the user starts the WebTorrent HTTP server via createServer(), and then the user visits the HTTP server index page (which lists the contents of the torrent), then the attacker can run JavaScript in this browser context.

The reason this seems relatively low risk is that the WebTorrent HTTP server only allows fetching data pieces from the torrent. It doesn't support any other control of the torrent client. So, attacker code could e.g. figure out what content the user is downloading and exfiltrate that to an external domain.

This commit mitigates the issue in two ways (either of which could have prevented this XSS on its own):

1. HTML-escape untrusted torrent metadata (name, path, file names, etc.)

2. Add the strictest possible CSP to prevent all connections, scripts, styles, plugins, frames. Every capability is denied.
---
 lib/server.js | 49 +++++++++++++++++++++++++++++++++++++++++++------
 package.json  |  1 +
 2 files changed, 44 insertions(+), 6 deletions(-)

diff --git a/lib/server.js b/lib/server.js
index 0dcce212..ef3ea4c5 100644
--- a/lib/server.js
+++ b/lib/server.js
@@ -1,4 +1,5 @@
 const arrayRemove = require('unordered-array-remove')
+const escapeHtml = require('escape-html')
 const http = require('http')
 const mime = require('mime')
 const pump = require('pump')
@@ -90,6 +91,9 @@ function Server (torrent, opts = {}) {
     // Prevent browser mime-type sniffing
     res.setHeader('X-Content-Type-Options', 'nosniff')
 
+    // Defense-in-depth: Set a strict Content Security Policy to mitigate XSS
+    res.setHeader('Content-Security-Policy', "base-uri 'none'; default-src 'none'; frame-ancestors 'none'; object-src 'none';")
+
     // Allow CORS requests to specify arbitrary headers, e.g. 'Range',
     // by responding to the OPTIONS preflight request with the specified
     // origin and requested headers.
@@ -147,11 +151,26 @@ function Server (torrent, opts = {}) {
       res.statusCode = 200
       res.setHeader('Content-Type', 'text/html')
 
-      const listHtml = torrent.files.map((file, i) => `<li><a download="${file.name}" href="/${i}/${file.name}">${file.path}</a> (${file.length} bytes)</li>`).join('<br>')
+      const listHtml = torrent.files
+        .map((file, i) => (
+          `<li>
+            <a
+              download="${escapeHtml(file.name)}"
+              href="/${escapeHtml(i)}/${escapeHtml(file.name)}"
+            >
+              ${escapeHtml(file.path)}
+            </a>
+            (${escapeHtml(file.length)} bytes)
+          </li>`
+        ))
+        .join('<br>')
 
       const html = getPageHTML(
-        `${torrent.name} - WebTorrent`,
-        `<h1>${torrent.name}</h1><ol>${listHtml}</ol>`
+        `${escapeHtml(torrent.name)} - WebTorrent`,
+        `
+          <h1>${escapeHtml(torrent.name)}</h1>
+          <ol>${listHtml}</ol>
+        `
       )
       res.end(html)
     }
@@ -160,7 +179,10 @@ function Server (torrent, opts = {}) {
       res.statusCode = 404
       res.setHeader('Content-Type', 'text/html')
 
-      const html = getPageHTML('404 - Not Found', '<h1>404 - Not Found</h1>')
+      const html = getPageHTML(
+        '404 - Not Found',
+        '<h1>404 - Not Found</h1>'
+      )
       res.end(html)
     }
 
@@ -214,7 +236,10 @@ function Server (torrent, opts = {}) {
     function serveMethodNotAllowed () {
       res.statusCode = 405
       res.setHeader('Content-Type', 'text/html')
-      const html = getPageHTML('405 - Method Not Allowed', '<h1>405 - Method Not Allowed</h1>')
+      const html = getPageHTML(
+        '405 - Method Not Allowed',
+        '<h1>405 - Method Not Allowed</h1>'
+      )
       res.end(html)
     }
   }
@@ -222,8 +247,20 @@ function Server (torrent, opts = {}) {
   return server
 }
 
+// NOTE: Arguments must already be HTML-escaped
 function getPageHTML (title, pageHtml) {
-  return `<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>${title}</title></head><body>${pageHtml}</body></html>`
+  return `
+    <!DOCTYPE html>
+    <html lang="en">
+      <head>
+        <meta charset="utf-8">
+        <title>${title}</title>
+      </head>
+      <body>
+        ${pageHtml}
+      </body>
+    </html>
+  `
 }
 
 // From https://developer.mozilla.org/en/docs/Web/JavaScript/Reference/Global_Objects/encodeURIComponent
diff --git a/package.json b/package.json
index e409416f..f9ba2d49 100644
--- a/package.json
+++ b/package.json
@@ -42,6 +42,7 @@
     "create-torrent": "^4.0.0",
     "debug": "^4.1.0",
     "end-of-stream": "^1.1.0",
+    "escape-html": "^1.0.3",
     "fs-chunk-store": "^2.0.0",
     "http-node": "github:feross/http-node#cddd2872f0020ecf5016f326cf5e58c965eef52a",
     "immediate-chunk-store": "^2.0.0",

From cdf1159cc0227b1f85c4a52263cbd33bc4ed5242 Mon Sep 17 00:00:00 2001
From: Feross Aboukhadijeh <feross@feross.org>
Date: Tue, 27 Aug 2019 13:47:57 -0700
Subject: [PATCH 2/3] Set security headers on /favicon.ico responses

---
 lib/server.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/server.js b/lib/server.js
index ef3ea4c5..c8a5488c 100644
--- a/lib/server.js
+++ b/lib/server.js
@@ -79,10 +79,6 @@ function Server (torrent, opts = {}) {
 
     const pathname = new URL(req.url, 'http://example.com').pathname
 
-    if (pathname === '/favicon.ico') {
-      return serve404Page()
-    }
-
     // Allow cross-origin requests (CORS)
     if (isOriginAllowed(req)) {
       res.setHeader('Access-Control-Allow-Origin', req.headers.origin)
@@ -94,6 +90,10 @@ function Server (torrent, opts = {}) {
     // Defense-in-depth: Set a strict Content Security Policy to mitigate XSS
     res.setHeader('Content-Security-Policy', "base-uri 'none'; default-src 'none'; frame-ancestors 'none'; object-src 'none';")
 
+    if (pathname === '/favicon.ico') {
+      return serve404Page()
+    }
+
     // Allow CORS requests to specify arbitrary headers, e.g. 'Range',
     // by responding to the OPTIONS preflight request with the specified
     // origin and requested headers.

From 9029557ca3d22faef67315f8ed33df295ce6d59e Mon Sep 17 00:00:00 2001
From: Feross Aboukhadijeh <feross@feross.org>
Date: Tue, 27 Aug 2019 13:50:19 -0700
Subject: [PATCH 3/3] Address @diracdeltas feedback on #1714

---
 lib/server.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/server.js b/lib/server.js
index c8a5488c..9fb725d0 100644
--- a/lib/server.js
+++ b/lib/server.js
@@ -88,7 +88,7 @@ function Server (torrent, opts = {}) {
     res.setHeader('X-Content-Type-Options', 'nosniff')
 
     // Defense-in-depth: Set a strict Content Security Policy to mitigate XSS
-    res.setHeader('Content-Security-Policy', "base-uri 'none'; default-src 'none'; frame-ancestors 'none'; object-src 'none';")
+    res.setHeader('Content-Security-Policy', "base-uri 'none'; default-src 'none'; frame-ancestors 'none'; form-action 'none';")
 
     if (pathname === '/favicon.ico') {
       return serve404Page()